In the aftermath of bombshell reports of a massive data breach that may have compromised the personal information of as many as 533 million users, Facebook has committed absolutely to trying to spin the leak as old news, no big deal, definitely nothing to see here, no need to even think about this too much at all, really.
In a blog post published after 6 p.m. on Tuesday night, Mike Clark, Facebook’s product management director, directly alludes to an April 3 Business Insider article that reported that a hacker had published the personal data of hundreds of millions of Facebook users online for free over the weekend. In the post, however, Clark attempts to downplay the breach as a previously reported-on threat — one which is no longer active or pertinent to current users.
“We believe the data in question was scraped from people’s Facebook profiles by malicious actors using our contact importer prior to September 2019,” Clark writes. “...When we became aware of how malicious actors were using this feature in 2019, we made changes to the contact importer. In this case, we updated it to prevent malicious actors from using software to imitate our app and upload a large set of phone numbers to see which ones matched Facebook users.”
Facebook also says that it’s “confident that the specific issue that allowed [hackers] to scrape this data in 2019 no longer exists” — but that will likely be little comfort to users whose data is currently sitting exposed in an online trove for all the world to see.
The admission that Facebook knew of the hacks as early as 2019, but chose not inform users that their data had been compromised, is pretty wild in and of itself, particularly in light of the Cambridge Analytica data scandal that rocked the company less than five years ago. And yet, Clark’s insinuation that the data breach is a non-story is also being echoed by Facebook’s cronies all over Twitter, with communications officials Liz Bourgeois and Andy Stone chiming in on April 3 with statements about how reports of the breach were based on “old data” and that Facebook had “found and fixed this issue in August 2019.”
That timeline becomes more interesting when you remember that in 2018, the European Union passed the General Data Protection Regulation, or GDPR, which, among other things, exists to ensure that large, data-mining tech giants like Facebook are more transparent with users about how their information is being used — which includes disclosing instances where their data has been compromised. But in its own statement on the breach, the Data Protection Commission of Ireland recently claimed that Facebook responded to its requests for clarification by advising that the datasets appeared to have been scraped between June 2017 and April 2018 — conveniently, just one month before the GDPR went into effect.
“Because the scraping took place prior to GDPR, Facebook chose not to notify this as a personal data breach under GDPR,” the post reads.
How very lucky for Facebook that these data breaches would have been caught just one month before the platform was obligated to report them to the public, and that the fixes to the vulnerabilities were so thorough that users don’t even need to worry about the specifics of them after the fact. Looks like there’s nothing more to see here, folks!
The data leak in question, originally published in a “low-level hacking forum,” according to Insider, exposed data from users in at least 106 countries, including over 32 million based in the US, and included personal identifiers such as phone numbers, Facebook IDs, full names, locations, birthdates and, in some cases, email addresses. If you’re interested in checking to see if you’ve been compromised, the websites The News Each Day and HaveIBeenPwned have simple tools you can use to cross-reference your phone number with what’s been leaked online.